AppSec California 2020

Modern web architecture relies on enabling ‘third-parties’ to access the client-side (front-end) of a web application.  These third parties operate via largely unmanaged and unmonitored connections to provide richness (chat tools, images) or extract analytics (Google Analytics). Up to 70% of the code executing on websites today comes from such third parties. Website owners have great reason to care about leakage from vulnerable client-side connections since the business and financial implications of losing customer data has never been greater.

The three most important security considerations of any website or web application are the server (back-end), the network, and the client (front-end).
Regulatory mandates like GDPR and CCP and prescriptive frameworks such as PCI-DSS have driven significant adoption of WAF and HTTPS. While these strategies were sound in the past, they are no longer adequate to protect web applications against new and advanced attacks that focus on attacking the client-side (front-end). As defined above, there are three security considerations for safeguarding your customer’s end-to-end website experience. To follow the nomenclature defined in the widely considered PCI-DSS framework consider these as:
- Data at rest
- Data in motion
- Data origination
Today, security frameworks and most security practitioners consider only two of these three when evaluating security capability.

Data at Rest defines content that typically resides on owned servers protected by massive security perimeters and on company owned premises. This data includes PII, credit card numbers, financial information and credentials. WAFs, firewalls and the like are deployed to provide effective defense for data at rest. “Data in Motion” refers to data in transit. This is easily envisioned as this same sensitive data moving from a website form that captures PII, credit card information, credentials, etc. back to secure storage. Data in motion is often encrypted by HTTPS transactions. In fact, many security-savvy online consumers put a lot of faith in seeing the HTTPS designation as ensuring the end-to-end security of their online transaction.

Unfortunately, security specification for securing the point of “Data Origination” is largely missing. Data Origination is the point at which data is created as it is input into a website or web application. This data origination point is increasingly the browser as a site visitor or online shopper enters information into a form including user credentials, credit card numbers, healthcare data, financial data etc. Such datasets are hiwas found to exist on less that 2% of websites. Consider the extreme lack of deployed client-side security measures that would ensure protections for this point of data origination and it’s easily understood why attacks like Magecart, Formjacking and XSS are rapidly accelerating.